Jogo
Privacy Policy

Privacy Policy

Jogo App LLC — Studio Management & Class Booking Platform

Effective Date: March 26, 2025·Jurisdiction: Wyoming, United States·jogoapp.developers@gmail.com
01

About This Policy & Who It Covers

Jogo App LLC ("Jogo", "we", "us", or "our") is a Wyoming-registered company that operates a cloud-based studio management and class booking platform ("the Platform"). This Privacy Policy explains how we collect, use, store, and protect personal data in connection with the Platform and all related services.

This policy applies to two distinct groups of people:

  • Studio Operators — fitness and wellness businesses ("Studios") that subscribe to the Platform to manage their operations, members, and communications.
  • Studio Members / End Users — individuals who book classes, hold memberships, or receive communications through a Studio's use of the Platform.

By accessing or using the Platform, Studio Operators agree to this policy and to our Data Processing Agreement, which governs how we handle Member data on their behalf. End Users are subject to this policy as well as the privacy notice of the Studio through which they engage with the Platform.

02

Data Controller vs. Data Processor

Under applicable privacy law, the roles of data controller and data processor carry distinct legal responsibilities.

  • Data Controller — Studio Operator: Determines the purposes and means of processing Member data. Responsible for obtaining lawful consent from Members and providing Members with the Studio's own privacy notice.
  • Data Processor — Jogo App LLC: Processes Member data solely on behalf of and under the instructions of the Studio. Does not use Member data for its own commercial purposes beyond operating the Platform.

Studios are solely responsible for ensuring they have a valid legal basis to collect, store, and use their Members' personal data before onboarding those Members onto the Platform. Jogo shall not be liable for a Studio's failure to comply with applicable data protection laws in their jurisdiction.

03

What Data We Collect and Why

A. Member Data (processed on behalf of Studios)

  • Identity Data: Full name, date of birth (where provided), gender (optional)
  • Contact Data: Email address, phone number, WhatsApp number (where provided)
  • Membership Data: Membership tier, class pack balance, subscription status, join date
  • Attendance Data: Class bookings, attendance history, cancellations, waitlist activity
  • Payment Data: Payment status (paid, failed, pending), membership billing cycle — payment card details are processed directly by our payment processors and never stored by Jogo
  • Communication Data: WhatsApp opt-in status, message delivery status, notification preferences
  • Health-Adjacent Data: Any injuries, physical limitations, or health notes voluntarily entered by the Member or Studio — treated with heightened care

B. Studio Operator Data (collected directly by Jogo)

  • Business Data: Studio name, business address, registration number, VAT/tax ID
  • Contact Data: Owner/admin name, business email, phone number
  • Billing Data: Subscription plan, billing cycle, payment method (processed via Stripe)
  • Usage Data: Platform activity logs, feature usage, login timestamps, IP addresses
  • Configuration Data: Studio settings, class schedules, pricing configurations, staff accounts

C. Automatically Collected Technical Data

When any user accesses the Platform, we automatically collect certain technical data including browser type, device type, operating system, IP address, session duration, pages visited, and error logs. This data is used solely for platform security, performance monitoring, and debugging.

D. Legal Basis for Processing

  • Contractual necessity — to deliver the Platform services to Studios and their Members
  • Legitimate interest — for platform security, fraud prevention, and service improvement
  • Consent — for WhatsApp marketing messages and optional data collection by Studios
  • Legal obligation — for tax record retention and responding to lawful authority requests
04

WhatsApp Messaging

The Platform enables Studios to send WhatsApp notifications to their Members using the WhatsApp Business API, operated by Meta Platforms Ireland Ltd. The following rules govern all WhatsApp messaging conducted through the Platform.

Consent Requirement

A Member must have provided explicit, documented opt-in consent before a Studio may send them any WhatsApp message through the Platform. It is the Studio's sole responsibility to collect, record, and maintain evidence of this consent. Jogo provides the technical infrastructure to honor opt-in and opt-out preferences but does not independently verify that consent was properly obtained.

Types of Messages Sent

  • Transactional notifications: Class booking confirmations, cancellation confirmations, waitlist updates, membership renewal reminders, failed payment alerts
  • Operational messages: Class schedule changes, studio announcements, instructor substitutions
  • Marketing messages: Promotional offers, re-engagement campaigns — require separate explicit opt-in and are subject to Meta's template approval process

Opt-Out

Any Member may opt out of WhatsApp communications at any time by replying STOP to any message or by updating their communication preferences through the Studio's member portal. Opt-out requests will be honored within 24 hours. Studios may not override an opt-out preference or re-enroll a Member without new explicit consent.

Meta's Role

WhatsApp messages are transmitted through Meta's infrastructure. By using WhatsApp-based features on the Platform, Studios and Members acknowledge that Meta processes message data subject to Meta's own Privacy Policy and WhatsApp Business Terms. Jogo does not control and is not responsible for Meta's data processing practices.

Message Logs

Jogo retains message delivery logs (timestamp, delivery status, message template used) for a period of 90 days for debugging and compliance purposes. Message content from Studio-initiated notifications is not stored beyond what Meta's infrastructure retains.

05

Third-Party Services & Data Sharing

We do not sell, rent, or trade personal data to third parties for their own commercial purposes. We share data only with the following service providers who process data on our behalf under contractual data processing agreements:

ProviderPurposeData Shared
Meta / WhatsApp Business APIWhatsApp message deliveryPhone number, message content, delivery status
Firebase (Google LLC)Authentication and file storageEmail, UID, profile photos
Railway (Railway Corp)Database hosting and app infrastructureAll platform data at rest
Stripe Inc.Studio subscription billing (international)Billing contact, payment method tokens
Wompi (Bancolombia)Member payment processing (Colombia / El Salvador)Payment amount, transaction reference
PowerTranz / BAC CredomaticMember payment processing (Nicaragua / Central America)Payment amount, transaction reference

We may also disclose data to law enforcement, government authorities, or courts where required by applicable law or in response to a valid legal process. We will notify affected Studios of such requests where legally permitted to do so.

06

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:

  • Active Member Data: Retained for the duration of the Studio's active subscription
  • Deleted Member Records: Purged from active databases within 30 days of deletion request; removed from backups within 90 days
  • Studio Operator Account Data: Retained for the duration of the subscription plus 60 days post-cancellation to allow for data export
  • Billing & Financial Records: Retained for 7 years from the date of transaction to comply with tax and accounting regulations
  • WhatsApp Message Logs: Delivery logs retained for 90 days, then automatically deleted
  • Authentication Logs: IP and login records retained for 90 days for security purposes
  • Anonymized Analytics Data: May be retained indefinitely as it cannot be linked to any individual

Studios may request a full export of their data at any time before account cancellation. Jogo does not guarantee the recoverability of data after the 60-day post-cancellation window.

07

Data Security

Jogo implements technical and organizational security measures appropriate to the risk profile of the data we process. These measures include:

  • All data in transit is encrypted using TLS 1.2 or higher
  • All data at rest is encrypted using AES-256 via Railway's managed PostgreSQL infrastructure
  • Authentication is handled exclusively by Firebase Auth — Jogo does not store user passwords
  • API routes are protected with server-side session verification using Firebase Admin SDK
  • Access to production databases is restricted to authorized personnel on a need-to-know basis
  • Payment card data is never transmitted to or stored on Jogo servers — all card processing is handled directly by Stripe, Wompi, or PowerTranz under PCI-DSS compliance
  • File uploads are stored in Firebase Storage with access-controlled URLs
  • Regular dependency audits and security patches are applied to platform infrastructure

In the event of a data breach that is likely to result in a risk to the rights and freedoms of individuals, Jogo will notify affected Studios within 72 hours of becoming aware of the breach and will cooperate with applicable regulatory authorities as required.

08

Your Rights

Depending on your jurisdiction and your relationship with the Platform, you may have the following rights with respect to your personal data:

  • Right of Access: You may request a copy of the personal data we hold about you
  • Right to Rectification: You may request correction of inaccurate or incomplete data
  • Right to Erasure: You may request deletion of your personal data, subject to legal retention obligations
  • Right to Restriction: You may request that we limit the processing of your data in certain circumstances
  • Right to Portability: You may request a machine-readable export of your data
  • Right to Object: You may object to processing based on legitimate interests, including for direct marketing
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing

To exercise any of these rights, contact us at jogoapp.developers@gmail.com. We will respond to all verified requests within 30 days. We may request proof of identity before processing a request. Studio Members should note that for requests relating to data held by a Studio, we may need to redirect the request to the relevant Studio as the data controller.

09

Children's Data

The Platform is not directed to children under the age of 13. Jogo does not knowingly collect personal data from children under 13 without verifiable parental consent.

Some Studios on the Platform offer classes to minors (individuals under 18). Where a Studio enrolls or processes the data of a minor, the Studio is solely responsible for:

  • Obtaining explicit written parental or guardian consent prior to enrollment
  • Ensuring that any WhatsApp communications relating to a minor are directed to the parent or guardian, not the minor directly
  • Complying with all applicable laws in their jurisdiction governing the collection of minors' data
  • Maintaining records of parental consent and making them available to Jogo upon request

If Jogo becomes aware that personal data of a child under 13 has been collected without appropriate consent, we will take steps to delete such data promptly. Studios found to be in violation of this provision may have their accounts suspended.

10

Jurisdiction-Specific Provisions

Nicaragua

Nicaragua does not currently have a comprehensive personal data protection law. Data processing for Nicaraguan Studios and their Members is governed by constitutional privacy rights and applicable consumer protection regulations. Jogo commits to applying the same security and data handling standards across all markets regardless of local regulatory requirements.

El Salvador

El Salvador does not have a comprehensive data protection statute at the time of this policy's publication. Data rights for Salvadoran residents are grounded in constitutional provisions on privacy and dignity. Jogo processes data for Salvadoran Studios in accordance with the same standards applied across all markets, and monitors legislative developments in the region.

Mexico

Mexico's Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) and its Reglamento apply to the processing of personal data of Mexican residents. Under this framework, Studios operating in Mexico are responsible for maintaining an Aviso de Privacidad accessible to their Members. Jogo, as a data processor acting under Studio instruction, supports Studios in fulfilling their obligations under the LFPDPPP. Data subjects in Mexico have ARCO rights (Acceso, Rectificación, Cancelación, Oposición) which may be exercised through the Studio or directly with Jogo at jogoapp.developers@gmail.com.

United States (Wyoming)

Jogo App LLC is incorporated in Wyoming. While Wyoming does not currently have a comprehensive consumer privacy law, Jogo respects applicable federal privacy laws and monitors state-level legislative developments. For any Studios or Members located in California, the California Consumer Privacy Act (CCPA) may apply, and such individuals have the right to know, delete, and opt out of the sale of their personal information. Jogo does not sell personal information.

11

Google User Data (Sign-In & Calendar)

The Platform offers optional features that rely on Google APIs. Where you choose to use them, Jogo accesses limited Google account data through Google's secure OAuth consent flow. You may decline these features and continue using the Platform, and you may revoke Jogo's access at any time.

Google Sign-In

If you sign in with Google, we receive your basic Google profile information — name, email address, and profile photo — through Firebase Authentication. We use this solely to create and secure your account. We never receive your Google password.

Google Calendar

If you connect Google Calendar from your profile, you grant Jogo permission to keep your class bookings in sync with your personal calendar. Specifically:

  • What we access: Calendar events that Jogo creates on your behalf. When you book or reserve a class, we add a corresponding event to your Google Calendar and update or remove it when the class changes or you cancel.
  • What we do not access: We do not read, collect, or store the contents of any other events in your calendar.
  • How we use it: Solely to provide the calendar-sync feature you enabled. We never use Google Calendar data for advertising, profiling, or any unrelated purpose.
  • What we store: Only the Google-generated identifiers of the events we create, linked to your bookings, so we can keep them up to date — never the full contents of your calendar.
  • Sharing: We never sell or transfer your Google Calendar data. It is processed only by the infrastructure providers listed in Section 05 (Firebase and Railway) on our behalf, strictly to operate this feature.
  • Your control: You can disconnect Google Calendar at any time from your Jogo profile, or revoke Jogo's access from your Google Account at myaccount.google.com/permissions. On disconnection we stop accessing your calendar and delete the stored event references within 30 days.

Limited Use

Jogo's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

12

Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the Effective Date at the top of this document
  • Notify Studio Operators via email at least 30 days prior to the change taking effect
  • Display a prominent notice within the Platform dashboard
  • Maintain an accessible version history of prior policies upon request

Your continued use of the Platform after the effective date of any updated policy constitutes acceptance of the revised terms. If you do not agree with a material change, you may terminate your subscription before the change takes effect.

13

Contact Us

For all privacy-related inquiries, data rights requests, or concerns regarding this policy, please contact us at:

Jogo App LLC

jogoapp.developers@gmail.com

Incorporated in Wyoming, USA

Response time: within 30 days

We are committed to resolving complaints about the collection or use of your personal data. If you are not satisfied with our response, you may have the right to lodge a complaint with the data protection authority in your country of residence.

This Privacy Policy does not constitute legal advice. Jogo App LLC recommends that Studios operating in regulated markets, particularly Mexico under the LFPDPPP, consult with a local data protection attorney to ensure full compliance with applicable law.